Old and new deterministic factoring algorithms

James McKee and Richard Pinch
Department of Pure Mathematics and Mathematical Statistics, University of Cambridge, 16 Mill Lane, Cambridge CB2 1SB, England
email: [email protected] [email protected]

In recent years, there has been spectacular progress in the practical art of factoring. By contrast, the theoretical problem of finding deterministic algorithms which provably factor composite $n$ has made little, if any, progress since Pollard ([Pol]) and Strassen ([Str]) showed that FFT techniques could be utilised to factor an integer $n$ in $O(n^{1/4+\epsilon})$ steps. (Here, and in similar estimates, $\epsilon$ is a positive real number, as small as we please, with the implied constant in the $O$-estimate depending on the choice of $\epsilon$.) If an extension of the Riemann Hypothesis were to be proved to hold, then class group methods ([Sha], [Sch]) would factor $n$ in $O(n^{1/5+\epsilon})$ steps. Without using Fourier transforms, the best asymptotic running time of a deterministic factoring algorithm is $O(n^{1/3+\epsilon})$ steps. Three such algorithms have been published, by R.S. Lehman ([Leh], 1974), H.W. Lenstra ([Len], 1984), and the first author ([McK1], in press). In this paper, two more $O(n^{1/3+\epsilon})$ factoring algorithms are presented, bringing the total to five.

Although largely of theoretical interest, any new factoring method raises questions about the security of the moduli used in the RSA cryptosystem ([RSA]). Moduli susceptible to attack by any particular method should be avoided. One of the new algorithms presented here does indeed make a new class of RSA moduli vulnerable. The other does not, but it has a feature unique amongst the $O(n^{1/3+\epsilon})$ algorithms: if $n = pq$ with $p$ and $q$ prime, $p < q$, and a bound $Q$ is known for $q$, then the algorithm runs in $O(Q^{1/2} n^{\epsilon})$ steps. For numbers $n$ which are a product of two primes both of order $n^{1/2}$, we get an $O(n^{1/4+\epsilon})$ algorithm, without using Fourier transforms.
For convenience, we shall refer to numbers which are a product of two primes of similar size as RSA numbers, since this is the traditional shape for numbers used as RSA moduli. Thus we have a deterministic $O(n^{1/4+\epsilon})$ algorithm for factoring RSA numbers, without using FFT. In this paper we shall review briefly the old algorithms mentioned above, and introduce some new ideas.

1. FFT, and factoring by computing discrete logarithms

Using Fourier transforms, a polynomial of degree $d$ over $\mathbb{Z}/n\mathbb{Z}$ can be evaluated at $d$ places in $O(d^{1+\epsilon} n^{\epsilon})$ steps ([Tur], Corollary 2 to Theorem 4). If $n$ is composite, then the least prime $p$ dividing $n$ can be written as $p = am + b$, with $m = \lceil n^{1/4} \rceil$, $0 \le a, b < m$. We evaluate $\prod_{0 \le b < m} (mX + b)$ at $X = 0, \dots, m-1$ in $O(n^{1/4+\epsilon})$ steps, and look for $\gcd(n, \prod_{0 \le b < m} (ma + b)) > 1$. If we get a gcd equal to $n$, then we backtrack to find $p$. This gives Strassen's $O(n^{1/4+\epsilon})$ algorithm.

Pollard's approach was to compute discrete logarithms modulo $p$ using baby-step-giant-step techniques. Writing $p - 1 = am + b$, with $m = \lceil n^{1/4} \rceil$, $0 \le a, b < m$, we compute powers of $2^m$ (giant steps) and powers of $2^{-1}$ (baby steps) and look for a match mod $p$. To find this we evaluate the polynomial $\prod_{0 \le b < m} (X - 2^{-b})$ at $X = 2^m, 2^{2m}, \dots, 2^{(m-1)m}$ in $O(n^{1/4+\epsilon})$ steps, and look for $\gcd(n, \prod_{0 \le b < m} (2^{am} - 2^{-b})) > 1$. Again we may need to backtrack if we get a gcd equal to $n$, but now there is the additional problem that 2 might have the same order modulo all primes dividing $n$. This problem is tackled satisfactorily in [Pol].

The first of our new $O(n^{1/3+\epsilon})$ algorithms is similar to Pollard's, in that it works by computing a discrete logarithm by the baby-step-giant-step technique. The distinction is that it computes discrete logarithms mod $n$, rather than mod $p$. In this way one avoids the need to use FFT to find a match mod $p$ between two lists defined mod $n$: here we seek a match mod $n$, which can be found simply by sorting.
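The following Python is an added illustration, not code from the paper: a toy implementation of the discrete-logarithm-mod-$n$ idea just introduced (worked out in the next paragraph), which runs baby-step giant-step mod $n$ on the identity $g^n \equiv g^{p+q-1} \pmod n$, recovers $p+q$, and solves for the factors, with the optional $Q$ bound on $q$ shrinking the search. The function names, the base list and the sample modulus are my own choices, and the paper's construction of an element of large order is replaced by the simpler expedient of retrying with another base.

```python
from math import gcd, isqrt

def bsgs_log(g, target, n, bound):
    """Least x in [0, bound) with g^x = target (mod n), or None.
    Baby steps go into a dict, so a match mod n is a plain lookup
    (the 'simply by sorting' of the text); no FFT is needed."""
    m = isqrt(bound) + 1                   # m*m > bound
    baby, cur = {}, 1
    for j in range(m):                     # baby steps g^j; smallest j wins
        baby.setdefault(cur, j)
        cur = cur * g % n
    step = pow(pow(g, m, n), -1, n)        # g^(-m)
    cur = target % n
    for i in range(m):                     # giant steps target * g^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * step % n
    return None

def factor_via_dlog(n, q_bound=None):
    """Return (p, q) for n = p*q, odd primes p < q, via g^n = g^(p+q-1) (mod n).
    With q < q_bound the search range is 2*q_bound (the O(Q^(1/2) n^eps) feature);
    otherwise q < n^(2/3) is assumed, i.e. trial division has already removed
    every prime up to n^(1/3).  The base list is an illustrative choice."""
    Q = q_bound if q_bound else int(round(n ** (2 / 3))) + 1
    bound = 2 * Q                          # p + q - 1 < 2q < 2Q
    for g in (2, 3, 5, 7, 11, 13):         # retry with another base if ord(g) is
        if gcd(g, n) != 1:                 # too small (simplification of the paper's
            return (g, n // g)             # large-order element construction)
        x = bsgs_log(g, pow(g, n, n), n, bound)
        if x is None:
            continue
        s = x + 1                          # equals p + q iff ord(g) > p + q - 1
        disc = s * s - 4 * n               # (p+q)^2 - 4pq = (q-p)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s - r) % 2 == 0:
            p = (s - r) // 2               # roots of t^2 - s*t + n
            if 1 < p < n and n % p == 0:
                return (p, n // p)
    return None

if __name__ == "__main__":
    # constructed sample modulus: 859 * 877, two primes of similar size
    print(factor_via_dlog(753343), factor_via_dlog(753343, q_bound=1000))
```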
The obvious difficulty with taking discrete logarithms mod $n$ is that the multiplicative group mod $n$ is too large: we would expect to take $O(n^{1/2+\epsilon})$ steps to find a discrete logarithm by the baby-step-giant-step technique. Here we use a trick. Since we seek an $O(n^{1/3+\epsilon})$ algorithm, we may suppose (after trial division) that $n = pq$ with $p$ and $q$ primes, $n^{1/3} < p < q$. Then we compute $2^n \equiv 2^{q+p-1} \pmod n$. Since $q + p = O(n^{2/3})$, we can compute the base 2 discrete logarithm of $2^n$ mod $n$ in $O(n^{1/3+\epsilon})$ steps. From this, $q + p$ is determined modulo $b$, the order of 2 in $(\mathbb{Z}/n\mathbb{Z})^*$. If $b > n^{1/3}$, then we can find $q + p$, and hence $p$, in $O(n^{1/3+\epsilon})$ steps. Otherwise, we must deal with the possibility that 2 has the same small order mod $p$ and mod $q$, and we show how to find an element of sufficiently large order to serve in place of 2, all within $O(n^{1/3+\epsilon})$ steps.

If we know $n = pq$ with $q < Q$, then the above algorithm can be adapted to run in time $O(Q^{1/2} n^{\epsilon})$. For RSA numbers we have $Q = O(n^{1/2})$, so that we get a deterministic $O(n^{1/4+\epsilon})$ factoring algorithm for such numbers, without using Fourier transforms.

2. Factoring with class groups

If $n$ is composite and $n \equiv 3 \pmod 4$, then Shanks's class group method ([Sha]) amounts to a search for a binary quadratic form of discriminant $-n$ not in the principal genus. Without the Riemann hypothesis, we are not aware of how to find such a form in anything better than $O(n^{1/2+\epsilon})$ steps. If $n \equiv 1 \pmod 4$, then there is an additional problem arising from what Shanks calls `highly recessive' elements of the class group. A practical means of dealing with these is given in [Sha], and if one assumes the extended Riemann Hypothesis, then there is no difficulty ([Sch]), and the method even becomes $O(n^{1/5+\epsilon})$.

In an extension of a method of Euler, the first author showed that one could obtain an $O(n^{1/3+\epsilon})$ factoring algorithm by considering representations of multiples of $n$ by binary quadratic forms ([McK1]).
This has the unique feature amongst $O(n^{1/3+\epsilon})$ factoring algorithms that it requires only $O(n^{1/6})$ trial divisions.

3. Factoring by rational approximations to $q/p$, or $\sqrt{q/p}$

Suppose that $n = pq$ with $p$ and $q$ primes, and $n^{1/3} < p < q$. Lehman ([Leh]) showed that by considering good rational approximations to $q/p$, one can extend Fermat's factoring method to factor $n$ in $O(n^{1/3+\epsilon})$ steps.

A more practical variant, which uses good rational approximations to $\sqrt{q/p}$, is given in [McK2]. This is not a deterministic algorithm, so is of less relevance here. It has an expected running time of $O(n^{1/4+\epsilon})$ steps, and shares with Shanks's SQUFOF the advantageous feature of requiring an accuracy of only half the bits of $n$ for most of the computations.

4. Factoring by looking for divisors in residue classes

Lehmer (see [BS]) observed that if $n = pq$ with $p \equiv q \equiv 1 \pmod k$, $p < q$, then Fermat's method can be speeded up to run in $O(q/k^2)$ steps. Here $p$ and $q$ need not be prime. Lenstra ([Len]) discovered a more generally useful method. He showed that if $m > n^{1/3}$, then all prime divisors of $n$ in any given residue class mod $m$ can be found in polynomial time. One easily gets an $O(n^{1/3+\epsilon})$ factoring algorithm, although the most useful application of Lenstra's result is to certain primality proving methods.

In a similar vein, we show that Lehmer's method can be extended. If $n = pq$ with $p \equiv q \pmod k$, $p < q$, then we show that $n$ can be factored in $O(q/k^2)$ steps. Thus, whereas Lehmer's method gained a factor of $k^2$ for one in $k^2$ numbers, this generalisation gains a factor of $k^2$ for one in $k$ numbers. It makes certain RSA moduli vulnerable to attack. Moreover, we show that by taking $k \approx n^{1/3}$, and testing $O(n^{1/3})$ different multiples of $n$, we get another $O(n^{1/3+\epsilon})$ deterministic factoring algorithm.

For factoring RSA numbers $n = pq$, we have a more practical variant, with expected running time $O(n^{1/4+\epsilon})$ steps, under the assumption that there exist small $\alpha$ and $\beta$, and $k$ between $n^{1/4}$ and $2n^{1/4}$, such that $\alpha p - \beta q \equiv 0 \pmod k$.

References

[BS] J. Brillhart and J.L. Selfridge, `Some factorizations of $2^n \pm 1$ and related results', Mathematics of Computation 21 (1967), 87–96.
[Leh] R. Sherman Lehman, `Factoring large integers', Mathematics of Computation, volume 28, number 126 (1974), 637–646.
[Len] H.W. Lenstra, Jr., `Divisors in residue classes', Mathematics of Computation, volume 42, number 165 (1984), 331–340.
[McK1] J.F. McKee, `Turning Euler's factoring method into a factoring algorithm', Bulletin of the London Mathematical Society, to appear.
[McK2] J.F. McKee, `Interpolating the quadratic sieve', in preparation.
[Pol] J.M. Pollard, `Theorems on factorization and primality testing', Proceedings of the Cambridge Philosophical Society 76 (1974), 521–528.
[RSA] R.L. Rivest, A. Shamir and L. Adleman, `A method for obtaining digital signatures and public-key cryptosystems', Communications of the ACM, volume 21, number 2 (1978).
[Sch] R.J. Schoof, `Quadratic fields and factorization', in Computational Methods in Number Theory, Part II, edited by H.W. Lenstra, Jr. and R. Tijdeman, Mathematical Centre Tracts 155, Mathematisch Centrum, Amsterdam 1982.
[Sha] D. Shanks, `Class number, a theory of factorization and genera', Proceedings of the Symposium in Pure Mathematics 20, AMS (1971), 415–440.
[Str] V. Strassen, `Einige Resultate über Berechnungskomplexität', Jahresber. Deutsch. Math.-Verein. 78 (1976/77), 1–8.
[Tur] J.W.M. Turk, `Fast arithmetic operations on numbers and polynomials', in Computational Methods in Number Theory, Part I, edited by H.W. Lenstra, Jr. and R. Tijdeman, Mathematical Centre Tracts 154, Mathematisch Centrum, Amsterdam 1982.